More free Pentesting resources

While I wrote the articles about how to start a pentesting career I came accross more great resources that I did not mention before, so here they are. Most of it is hands-on :).

The Complete Beginner Network Penetration Testing Course for 2019

CTP/OSCE Prep – Wrapping Up Our Prep
Article with OSCE resources.
https://h0mbre.github.io/CTP_Summary/#

Web Application Exploits and Defenses
Online Webapp hacking.
https://google-gruyere.appspot.com/

XSS challenges
Online XSS challenges.
http://xss-quiz.int21h.jp/

XXE Lab
XXE Lab for downloading and hacking.
https://github.com/jbarone/xxelab

Root Me
Hacking challenges online.
https://www.root-me.org/

Cryptopals
Crypto hacking CTF.
https://cryptopals.com/

RingZer0 CTF
https://ringzer0ctf.com/challenges

Damn Vulnerable Web Application (DVWA)
Vulnerable weeb hacking VM (download).
http://www.dvwa.co.uk/

Pentesterlab
List of the free Webapp hacking excercises.
https://pentesterlab.com/exercises?dir=desc&only=free&sort=published_at

Link List with more CTFs and excercises
https://wheresmykeyboard.com/2016/07/hacking-sites-ctfs-wargames-practice-hacking-skills/

Kali Training
https://kali.training/

Vulnhub
Loads of challenges and VMs (downloads).
https://www.vulnhub.com/

Book review The Hacker Playbook 3

The Hacker Playbook 3
Authors: Peter Kim
Content: Main focus is on Red Teaming
Career: Penetration Tester
Level: Intermediate, Expert
Buy at Amazon U.S.
Buy at Amazon Germany

This week I did read the great book The Hacker Playbook 3 by Peter Kim. The focus of the book lies on Red Teaming, it makes sense to read also the first two books if you do not have prior knowledge to penetration testing.


Content:

  • Difference between pentesting and red teaming
  • MITRE ATT&CK framework
  • Tools setup
  • Reconnaissance phase
  • optional lab setup & exercises
  • about web attacks like node.js, nosql injections, deserializiation attacks and more
  • hacking the (windows) network for example with responder, password spraying
  • privilege escalation with misconfigured services, exploit suggester and more
  • mimikatz magic of course
  • attacks on macs with empire
  • bloodhound and sharphound
  • lateral movement using different techniques
  • pivoting
  • social engineering campaings & physical attacks
  • recompile meterpreter dlls for avoiding detection
  • password cracking
  • write your own droppers

I highly recommend this book, especially if you are into Red Teaming it is a good resource. Maybe a report about owing the Cyber Space Kittens lab would have been nice, since reporting in Red Teaming is a non trivial task.

Write-up hackthebox netmon

After the getting started article, here is a walkthrough for hackthebox netmon, to get an impression how to pwn machines. This was a nice one and I guess one of the the easier.

Portscan

Nmap 7.70 scan initiated Thu May 23 21:38:11 2019 as: nmap -A -oA netmon 10.10.10.152
Nmap scan report for 10.10.10.152
Host is up (0.043s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM inetpub
| 07-16-16 09:18AM PerfLogs
| 02-25-19 10:56PM Program Files
| 02-03-19 12:28AM Program Files (x86)
| 02-03-19 08:08AM Users
|02-25-19 11:49PM Windows | ftp-syst: | SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=5/23%OT=21%CT=1%CU=30959%PV=Y%DS=2%DC=T%G=Y%TM=5CE6F6C
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%CI=I%II=I%TS=A)SEQ(SP=1
OS:07%GCD=1%ISR=108%TS=A)SEQ(SP=107%GCD=1%ISR=108%II=I%TS=A)OPS(O1=M54DNW8S
OS:T11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54D
OS:ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=
OS:80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2
OS:(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%
OS:F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD
OS:=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL
OS:=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|clock-skew: mean: 11s, deviation: 0s, median: 10s | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported | message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-05-23 21:38:48
|_ start_date: 2019-05-23 21:34:54
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 54.00 ms 10.10.12.1
2 54.08 ms 10.10.10.152
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Thu May 23 21:38:40 2019 -- 1 IP address (1 host up) scanned in 29.10 seconds

Connect via FTP

The user hash is easily found:

Now we have a look at the running web server. A PRTG instance is running here. After some searching the web it was clear that this might be a vulnerable version of PRTG (https://www.codewatch.org/blog/?p=453). No login with std creds (prtgadmin/prtgadmin) possible…

But we have the FTP server, which gives us some infomation:Some interesting stuff in the windows dir:

Here the credentials are encrypted. Some research show that in older versions that might be a problem (TODO, link). So I spent some time in finding valid credentials.

Also in c:\windows:

c:\ProgrammData is hidden but can be seen if you access it directly:

Get netmon prtgadmin credentials:

Something interesting in PRTG Configuration.old.bak:

After some trying I found out that the new password was: PrTg@admin2019, so this is something you have sometimes in real life, finding some credentials but still need to try around a bit. Then I followed mostly this description of the vulnerability: https://www.codewatch.org/blog/?p=453

Add a notification:

Leave defaults and choose “Execute Program” with the following settings:

Success, we can now get the hash from the test,txt file:

Pwnd! What I liked on this machine was that you needed to combine vulnerabilities. First find the credentials, then alter them to the working credentials. After that you had RCE.